Passkeys Q and A with Christiaan Brand, Group Product Manager at Google

If you use Gmail, you recently received an email from Google letting you know that your personal email account is now protected by a passkey and that you no longer need a password to gain access to your Gmail account.

Passkeys are arguably one of the most significant advances in protecting accounts in the last several years and are a harbinger of a sea change in cybersecurity that will eventually lead to the demise of the password. 

We have some questions about passkeys and thought you might too.

Google offered Defending Digital Campaigns an opportunity to pose some questions to Christiaan Brand, Group Product Manager at Google, who is leading their rollout of passkeys.

DDC: What is a passkey and how does it work?

CB: You can think of a passkey in the same way you think of a password. The only difference is that you don’t remember a passkey. Instead, it’s stored on a device such as your phone or computer. Whenever you want to log in somewhere, you prove your identity to your device (typically, by unlocking it with a fingerprint or face scan) and the device in turn proves that it has access to the passkey to the remote website. There’s nothing to remember and nothing to type. And best of all: passkeys cannot be phished like traditional passwords.

DDC: Since a passkey will, in most cases, involve the use of a biometric (fingerprint, face scan, etc.), some people may be concerned about how that data is secured and who has access to it. Can you explain that?

CB: Your biometric data is never shared with Google or any other third party – the screen lock only unlocks the passkey locally and neither your passkey nor your biometric data is transmitted to any remote service in any way.

DDC: I already log in to my phone and other devices and apps with a biometric. Am I using passkeys, or is there something else that is going to change?

CB: Today, users use a mixture of biometrics and passwords to log in to online services. With passkeys, we’re hoping to systemically move all logins away from passwords. Mobile applications started their transition to biometrics a while ago, while websites could not harness the technology. With passkeys, we are delivering the convenience and security of authentication by simply “unlocking your device” everywhere.

DDC: Is implementing a passkey optional?

CB: Today, yes. But over time we are hoping all users will migrate over to the use of passkeys over passwords for their security.

DDC: Passkeys are not a solo effort by Google but part of a larger industry effort to advance cybersecurity. Can you shed some light on this collaborative effort and the importance of an industry-wide approach?

CB: Passkeys are the result of more than a decade of collaboration with like-minded companies as part of the FIDO Alliance. In security, it’s often a case of the rising tide that lifts all boats. We think that this technology will only be successful if we can change the way everyone thinks about authentication and signing in to services online. We are joined by many companies such as Apple, Microsoft, Facebook, Amazon, and others on this journey. 

DDC: What happens if I lose a device or account access? How do I regain access to my Google Account?

CB: On Apple devices, all your passkeys, including the one to your Google Account, are backed up to iCloud. That means that even if you lose your device, as long as you can sign back into your iCloud Account, you’ll have your passkeys available again to sign into your Google Account. On Android, your passkeys are backed up to the Google Password Manager. We highly recommend keeping a physical security key as a backup for access to your Google Account in case you lose all your other devices.

DDC: We know that the rollout to Gmail is just the first step. What are the future plans for passkeys and Google products?

CB: Passkeys are available for all Google products today, not only Gmail. Once you set up passkeys on your Google Account, all Google products are secured and accessible using passkeys. Today, users still need to take the step of navigating to g.co/passkeys and clicking on “Create a passkey” to get started with passkeys. Later this year, we have plans to make it even easier to get started with passkeys.

DDC: The promise of passkeys is their usability across the internet with all kinds of web service providers. Do you have an estimate, or maybe just an educated guess, about when passkeys will become the predominant way of accessing accounts (we promise not to hold you to it)?

CB: I’d like to think that in a few years we will reach that tipping point where more users will use passkeys than passwords. I do think it’s a somewhat aggressive timeline, but on the other hand, we’ve seen most major services jump onboard so maybe it’s within reach after all.

DDC: Where can people learn more about passkeys and Google’s cybersecurity efforts?

CB: The best place to learn more would be at the Google Safety Center: https://safety.google/cybersecurity-advancements/

DDC thanks Christiaan for answering these questions and all Google does to help secure campaigns and high-risk users in the political space.